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In a partially decentralized control architecture, more than one but less than ail nodes 
have supervisory capability. This paper describes an approach to choosing the number 
of supervisors in such an architecture, based on a reliability vs. cost trade. It also con- 
siders the implications of these results for the design of navigation systems for satellite 
formations that could be controlled with a partially decentralized architecture. Using 
an assumed cost model, analytic and simulation-based results indicate that it may be 
cheaper to achieve a given overall system reliability with a partially decentralized archi- 
tecture containing only a few supervisors, than with either fully decentralized or purely 
centralized architectures. Nominally, the subset of supervisors may act as centralized 
estimation and control nodes for corresponding subsets of the remaining subordinate 
nodes, and act as decentralized estimation and control peers with respect to each other. 
However, in the context of partially decentralized satellite formation control, the absolute 
positions and velocities of each spacecraft are unique, so that correlations which make 
estimates using only local information suboptimal only occur through common biases and 
process noise. Covariance and monte-carlo analysis of a simplified system show that this 
lack of correlation may allow simplification of the local estimators while preserving the 
global optimality of the maneuvers commanded by the supervisors. 


Introduction 

A fundamental issue that confronts designers of 
guidance, navigation, and control systems for dis- 
tributed systems such as satellite formations is the 
trade between centralized and decentralized architec- 
tures. Figure 1 illustrates schematically the major 
characteristics of centralized, decentralized, and “par- 
tially decentralized” architectures. In describing these 
scenarios, this paper uses the following definitions: 

Capable Node A spacecraft that has sufficient ca- 
pability to function as either the supervisor node 
in a centralized architecture, or a “peer” node in 
a decentralized architecture. In this paper, vari- 
ables with a subscript c refer to capable nodes. 

Subordinate Node A spacecraft that may only 
function as one of the subordinates in a central- 
ized or partially decentralized architecture. Vari- 
ables with subscript s refer to subordinate nodes. 

As Figure 1(a) shows, a centralized controller en- 
forces control actions onto a set of subordinate nodes, 
whereas in the decentralized control architecture of 
Figure 1(b), each member of a confederation of peers 
sharing a common objective determines its own control 
actions. In order to optimally compute these controls, 
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however, each local node must generally have access 
to a globally optimal state estimate. In the central- 
ized navigation architecture, which Figure 1(d) show's, 
the supervisor node determines a globally optimal es- 
timate of the full state space by receiving all the data 
from all the subordinate nodes. Decentralized esti- 
mation generally ruires a fully connected network, as 
Figure 1(e) shows, but the data transmission ruire- 
nients may be minimized as Reference 1 describes. 
Depending on the mechanization of the controller, each 
node may only need to estimate a subset , projection, 
or some combination of the globally optimal state es- 
timates. 

Figures 1(c) and 1(f) illustrate one possibility of an 
intermediate or hybrid option, in which the architec- 
ture may be partially decentralized. In this case, more 
than one node but fewer than all nodes may be ca- 
pable of controlling the formation. In Figure 1(c), 
the top and bottom spacecraft enforce control action 
onto their nearest neighbors, and in Figure 1(e), they 
receive navigation measurements from all the other 
spacecraft. The dashed connections in Figure 1(c) also 
show that either of the capable nodes may take over 
the leadership of the formation, should its counterpart 
fail. An alternative but similar architecture would uti- 
lize a subset of the nodes as backups to the supervisor. 
Note that the partially decentralized architecture is 
not necessarily hierarchical, since it does not of itself 
abstract lower-tier information at higher tiers. 

This work only considers the architecture trade as it 
applies to control of the distributed system. Other re- 
quirements may intrinsically dictate a centralized con- 
figuration, such as with interferometry missions that 
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a) Centralized Control 



d) Centralized Navigation 





b) Decentralized Control 



e) Decentralized Navigation 




Fig. 1 Architecture Comparison. Subordinate nodes are unshaded. In the top row, arrows represent 
maneuver commands. In the bottom row, arrows represent measurement transmissions. Dashed arrows 
in the right column represent tranmissions when one of the capable nodes has failed. 


have a single “combiner” spacecraft- flying in formation 
with several “collector 1 * spacecraft. However, from the 
standpoint of control, this combiner spacecraft does 
not have to coincide with the supervisor node in the 
control network. 

A fundamental question for partially decentralized 
systems is how many supervisory nodes the system 
should possess. One avenue for addressing this ques- 
tion is to recognize that a centralized architecture with 
a single capable node in charge of simple subordinates 
might be the simplest and cheapest approach, if not 
for the fact that a failure of the supervisor would end 
the mission. On the other hand, a fully decentralized 
confederation of peers might be more expensive than 
necessary to achieve the required mission reliability, 
especially for larger formations. The partially decen- 
tralized, or hybrid approach, would therefore seem to 
be the most desirable option in many cases. This paper 
derives a model of the static reliability of a partially 
decentralized system that, coupled with an assumed 
cost model, allows for the optimization of the cost vs. 
reliability trade. 

The nodes chosen as supervisors in such a design 
trade then each serve as centralized estimation and 
control nodes for corresponding subsets of the remain- 
ing subordinate nodes. Each supervisor considers the 
measurements of its subordinates, as well as its own 
data, as local information. The controls each supervi- 
sor computes based on this local information will be 
optimal with respect to its own “sub-formation,” but 


suboptimal with respect to all the nodes collectively. 
To compute globally optimal controls, the supervisors 
may exchange data with one another, e.g. via the min- 
imal transmission algorithm of Speyer . 1 In this sense, 
the supervisors act as decentralized estimation and 
control peers with respect to each other. 

For partially decentralized architectures, the next is- 
sue is the partitioning of the global state space among 
the various local estimators. In most mission con- 
cepts involving satellite formation flying, the absolute 
positions and velocities of each spacecraft are unique 
and dynamically uncorrelated. Any correlations which 
do occur arise through common biases and process 
noise. It is this correlation among the local state 
spaces that makes local estimates suboptimal with re- 
spect to a global estimate, necessitating additional 
data exchange to compute the globally optimal con- 
trols. Sufficiently weak correlations among the local 
estimates may therefore allow simplification of the lo- 
cal estimators and/or the data exchange framework 
while preserving the global optimality of maneuvers 
derived from the estimates. However, there are several 
issues besides global optimality that may dictate the 
need for knowledge of the global state space. Among 
such issues are requirements for relative state knowl- 
edge, either for control or collision avoidance, fault- 
detection considerations, and science/ payload require- 
ments. 

Many concepts for formation flying missions rely on 
relative GPS as a sensor. Some works have indicated 
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that relatively significant correlations exist in the rela- 
tive states of spacecraft estimated using GPS. 2,3 These 
works assumed the presence of GPS Selective Avail- 
ability (SA), and studied relatively low altitude Space 
Shuttle missions that fly through the top of the iono- 
sphere, so that measurements by single frequency re- 
ceivers could be expected to have significant channel- 
dependent range biases. These works also utilized GPS 
receivers with only a few channels so that it was diffi- 
cult to ensure that all satellites tracked by all receivers 
were common, which would have tended to allow for 
bias cancellation in the relative states computed from 
their solutions. More recently, with the advent of 
“all-in-view” GPS receivers for space applications and 
the end of SA, a study 3 4 has indicated that, at al- 
titudes above the ionosphere where many currently 
proposed formation flying missions will orbit, channel- 
dependent range biases may be insignificant, so that 
significant correlations among the local state spaces 
do not arise. This paper provides some results based 
on covariance and monte-carlo analysis of a simplified 
system to show that this lack of correlation may allow 
simplification of the local estimators, while preserving 
the global optimality of the maneuvers commanded by 
the supervisors. 

The remainder of this paper first describes the re- 
liability/cost trade, including assumptions that sim- 
plify the analysis, analytic models for the reliability, 
a simple cost model, and results of some case studies. 
The next section reviews the minimal data transmis- 
sion requirements for globally optimal control for the 
partially decentralized system, and examines how the 
navigation architecture may be simplified if the corre- 
lations among the local state spaces are not significant. 
The final section provides a summary and conclusions, 
with suggestions for future work. 

Reliability vs. Cost Trade 

One of the inferred benefits of decentralized con- 
trol approaches is that they will be more reliable due 
to their non-hierarchical and inherently parallel struc- 
ture. The purpose of the study reported here was to 
perform some simple static reliability calculations to 
investigate this claim, and in particular to find the 
most cost-effective architecture that will satisfy a spec- 
ified mission reliability requirement. 

An additional complexity is that any node may 
be be built with redundant “strings” so that it can 
tolerate one or more failures. The analysis below in- 
corporates this concept, and it appends a number to 
the subscripts of 7, the probability of failure, and c, 
the system cost, to indicate the number of redun- 
dant strings per node. For example, q c 2 is the failure 
probability of two-string capable node, and c c 2 is its 
associated cost. Nominally, parallel redundancy would 
imply that q cn = 7^. However, adding redundancy 
also increases weight and complexity, and according 


to Reference 5, experience has shown that there are 
diminishing returns to increasing reliability through 
redundancy. Reference 5 addresses this though para- 
metric power laws whose exponents depend on either 
weight or cost ratios. To avoid the need for baseline 
costs or weights which these models require, this study 
penalizes the use of additional strings so that 

Qcn>C I* 0) 

In particular, this study assumes that 

Qin = g, 1 *' 06 ". (‘2) 

where i — c, s. Figure 2 compares the exponents 
of Eqs. (1) and (2). Although Eq. (2) is not em- 



number of strings 

Fig. 2 A model of diminishing returns to redun- 
dancy: the power to which the single-string failure 
probability, q t 1, is raised as additional strings are 
added, in comparison with the ideal case in which 
the exponent is n. 

pirical, Figure 2 illustrates that the failure probabil- 
ity decreases less significantly after the third string, 
which is consistent with the observation that very few 
aerospace systems have more than three strings. 

This analysis does not consider “design flaws, 11 
which would be common failure modes to all similar 
nodes. This work assumes that each failure is an in- 
dependent event. This analysis also does not consider 
that there are any improvements in reliability due to 
a learning curve as multiple copies of a design are pro- 
duced. Each node of a similar type costs the same to 
produce or replace as any other, whether or not several 
or many of the same type have already been built. 

In estimating costs, this work considers only the ini- 
tial cost to build the formation. One could consider as 
well expected replacement costs; however, unless the 
failure probabilities are quite large, the expected value 
of this cost may be quite small in comparison to the 
deterministic initial build cost. One must also decide 
how many “rounds” of replacements to consider, as 
well as how to handle mean time between failures, etc. 
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Static Reliability Model 

Let I'm represent the mission reliability. As stated 
above, the purpose of this study is to find the most 
cost-effective architecture that will satisfy a specified 
mission reliability, e.g. r\f = 0.95. The reliability is the 
probability that the system works, or in the present 
case, that at least some minimum number, kmin, out 
of the k spacecraft control systems operate correctly: 

r M - Pr( > k m in out of k work ) (3) 

Centralized Architecture 

Figure 3 is a reliability diagram for the centralized 
architecture. In this diagram, each switch represents 
a node or spacecraft, and an open switch indicates a 
total failure of that node’s control system. For the mis- 
sion to operate, k 1utn of the switches must be closed. 
The probability of each switch being closed is noted 
above it in the figure. 


Hmm 



Fig. 3 Centralized Architecture Reliability Dia- 
gram 

For the centralized architecture, regardless of what 
happens with the rest of the nodes, if the master fails, 
a mission failure occurs. Given that the master works, 
at least k m i n - 1 subordinates must work in order 
that k m in total nodes function correctly. Therefore, 
the mission reliability is the probability that both the 
master works and that at least fc min — 1 out of k — 1 
subordinates work: 

r Me = Pr( master works ) 

x Pr( > kmin - 1 of k - 1 subs, work ) (4) 

As Figure 3 indicates, the probability that the n- 
string master node works is 1 — q cn . For the sub- 
ordinate nodes, the binomial distribution gives the 
probability that exactly j out of k - 1 subordinates 
operate: 

e;”i(i)= (*T l )( (5) 


The probability that at least fc rmn - 1 out of k — 1 
subordinates operate is then 

k- 1 

Pr( > k m in — 1 ) = E 

j — k rr, j r> 1 

From Eqs. (4) and (6), the total reliability for the 
centralized scenario is therefore 

k-i 

I'A fc“ (I - 7cn) ^ P£?iU). (?) 

j — k m i n I 

Decent mltzed Architecture 

Figure 4 is a reliability diagram for the decentral- 
ized architecture. As the figure indicates, this case is 
structurally identical to the subordinate node network 
in the centralized architecture, but it does not rely on 
the operation of a master node. Therefore, the decen- 
tralized system’s reliability is 

k 

E P ™. W 

i—k m t n 

where 

= ( 9 ) 

is the probability that exactly * out of the k peers 
operate correctly. 





At least k mim out of k 
peers must work 


Fig. 4 Decentralized Architecture Reliability Di- 
agram 

Partially Decentralized Architecture 

Figure 5 is a reliability diagram for the partially de- 
centralized or hybrid architecture. For the mission to 
operate, kmin of the nodes must operate, but of those 
kmin operating nodes, at least one out of the ( capa- 
ble nodes must work in order to serve as the master. 
Therefore, the reliability of the hybrid architecture is 

r M h = Pr( > 1 of t cap. nodes work ) 

x Pr( “enough” subs, work ) (10) 
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At least I out of £ 
capable nodes must work 


At least out of k 
total nodes must work 


Fig. 5 Decentralized Architecture Reliability Di- 
agram 

There are several ways of looking at the problem of 
computing the probability Eq. (10) describes. The ap- 
proach this paper takes is to consider the following 
four distinct cases: 

1. k - t > k min - 1 and £ < k min . In this case 
there are not enough capable nodes to make up 
the required complement of fc m , n total nodes, so 
at least some subordinate nodes must function. 

2. k - £ > kmin - I and * = kmin • In this case there 
are exactly enough capable nodes so that if they 
all work, no subordinates need to operate. 

3. k - £> kmin - 1 and £ > k min . In this case there 
are more than enough capable nodes so that if 
they all work, no subordinates need to operate. 

4. k - t < k min - 1 and £ > k min . In this case there 
are too few subordinate nodes, so that more than 
one capable node must work in order to achieve 
kmin total operating nodes. 

Eqs. (11 )— ( 13) capture all four cases: 


nvi/i 


where 

^min 


l max 


t max kt t. 

£ ir(>) £ Pk-AJ) 

• = 1 min J — k m i n * 

f 

+ £ Pf n {i) ( 11 ) 

• mar 


1 

1 

if k — £ k m i n 
otherwise 

- 1 



(12) 

- 1 

if £ > k m i n 
otherwise 

(13) 



In Eq. (11), all summations only run forward; if the 
upper index is greater than the lower index, the sum- 
mation is zero by assumption. 


When £ < Cases 1 and 2 apply. If there are 

too few capable nodes to make up the required com- 
plement of k m i n total nodes, Eq. (13) stops the first 
summation over i in Eq. (1 1) at f, and the nested sum- 
mation over j always starts with enough subordinate 
nodes to make up the deficit of capable nodes. 

When £ > k mtn , Cases 3 and 4 apply. In both of 
these cases, the second summation over i in Eq. (11) 
captures the probability that more than Ar mtn capable 
nodes may operate. Eq. (13) generates these cases by 
stopping the first summation and starting the second 
summation when there are no more subordinate nodes 
available to include under the nested summation over 
j . When also k - £ < k min - 1, Case 4, where there 
are too few subordinate nodes, applies. Eq. (12) gen- 
erates this case by starting the first summation over i 
in Eq. (11) with enough capable nodes to achieve kmin 
total operating nodes. 

Cost Model 

The cost to build the centralized architecture is the 
cost of a fc-node formation, using an n- string master 
and k — 1 m-string subordinates: 

c co — r cn + (k — l)c am - (14) 

The cost to build the fully decentralized architecture 
is the cost of a k- node formation using n-string peers: 

Cdo k ' C ct \- (16) 

The cost to build a partially decentralized architecture 

is the cost of £ capable nodes with n strings each, plus 
the cost of k — £ subordinate nodes with in strings each: 

Cco ~ £Ccn + (k ~ £)c S m ♦ (16) 

This study presumes an inverse correlation between 
reliability and cost: 

Cd oc q~i (17) 

C,1 OC qj* (18) 

This model is consistent, with the concavity of the 
models of Reference 5. To scale the various costs, 
assume that a single-string, capable node having a fail- 
ure probability of 0.1 costs one unit. Assume that 
a comparably reliable subordinate node costs half as 
much, c s i = 0.5r c i, and that adding a comparable ex- 
tra string to a node costs three-quarters as much as the 
node itself, c is - 0.75c, j. As a consequence of these 
further assumptions. 

Cel = 0.1 9c -, 1 (19) 

c,] = 0.05?7]\ (20) 

Case Studies 

This section examines four sets of mission parame- 
ters, k and k min < corresponding to “small” and “large” 


5 OP 1 1 


American Institute of Aeronautics and Astronautics Paper DRAFT 


formations. All cases have a specified requirement of 
an overall reliability, r M . To achieve this requirement, 
one may vary the design parameters ? c i, q s i, n and 
m, and select a centralized, decentralized, or a par- 
tially decentralized hybrid architecture, with the goal 
of achieving the minimum mission cost. 

For the decentralized architecture, one may choose 
a design point for each number of strings, n, that ex- 
actly satisfies the reliability requirement, which may 
be found by solving Eq. (8) for q cn \ choosing the largest 
appropriate root will minimize the cost. Eq. (2) gives 
the resulting q c \, and one may select the number of 
strings that minimizes the build cost, Eq. (15). 

For the centralized architecture, one may vary both 
q cl and q s i to achieve the reliability requirement. 
Therefore to find the minimum cost, one must mini- 
mize Eq. (14) with respect to either q c \ or q s i, subject 
to Eqs. (7) and (2). One may then select the number 
of strings that minimize the costs among the various 
possible combinations of n and m. This study limited 
the number of strings to a maximum of six. As a result 
of the diminishing returns to redundancy Eq. (2) im- 
poses, the optimal number of strings never exceeded 
five, and the differences in cost between three, four, 
and five string optima were only a few percent. When 
preliminary studies did not impose diminishing returns 
to redundancy, unrealistically large numbers of strings 
often arose as the optima. 

One may optimize the hybrid architecture in a sim- 
ilar fashion to the centralized architecture, with the 
additional degree of freedom to choose the number of 
capable nodes. 

Tables 1 through 5 summarize the results of fol- 
lowing the procedure above. The mission parameters 
all reflect ac tual or proposed missions. The notation 
(k,kminJ) is a handy shorthand for referring to each 

case. 

The StarLight (ST 3) mission 6 inspires the (2/1 J) 
and (3,2,0 cases. This mission originally had a 
(3,2,1) configuration, but was trimmed to a (2,2, 1) 
configuration to save costs. The Magnetospheric 
Multi-Scale, 7 or MMS, and Stellar Interferometer, 8 or 
SI, missions inspire the (6,4,f) case and the (30,20,f) 
case, respectively. Note that for the (2, 2, £), the hybrid 
architecture does not apply, since £ = 1 corresponds 
to the centralized case and £ = 2 corresponds to the 
fully decentralized case. 

Consider first the scenario without multiple strings, 
which Tables 1 and 2 present. For a 95% reliability 
requirement, Table 1 shows that the minimum cost 
architecture, under the assumptions of this study, is al- 
ways the hybrid or partially decentralized option. It is 
interesting that only £ = 4 capable nodes give the mini- 
mum cost for the large (30, 20, £) formation. The fully 
decentralized architecture is more cost-effective than 
the centralized for small and medium formations that 
can tolerate a few failures, i.e. the (3,2,^) and (6,4,/) 


cases. The centralized architecture is cheaper than the 
fully decentralized for the minimal (2, 2, /) formation 
and for the large (30,20,f) formation. For a 99% reli- 

Table 1 Results for mission reliability r Af = 0.95, 
single-strings only 



k 

2 

3 

6 

30 


kmin 

2 

2 

4 

20 

Dec. 

qd 

.025 

.135 

.153 

.221 


CM 

7.90 

2.21 

3.91 

13.6 


?opt 

- 

2 

3 

4 

Hyb. 

qc\ 

- 

.154 

.185 

.266 


9*1 

- 

.101 

.123 

.212 


CM 

- 

1.79 

2.84 

7.65 


q c i 

.030 

.041 

.038 

.036 

Cen. 

9s l 

.021 

.095 

.113 

.191 


CM 

5.76 

3.47 

4.82 

10.3 


ability requirement, Table 2 shows that the minimum 
cost architecture remains the partially decentralized, 
with the same numbers of capable nodes for each case 
as for the 95% reliability requirement. The fully de- 
centralized architecture is more cost-effective than the 
centralized for all but the (2,2,^) cases. 

Table 2 Results for mission reliability r A / = 0.99, 
single-strings only 



k 

2 

3 

6 

30 


kfjun 

2 

2 

4 

20 

Dec. 

qc l 

.005 

.059 

.009 

.176 


CM 

39.9 

5.09 

7.08 

17.1 


£ opt 

- 

2 

3 

4 

Hyb. 

qd 

- 

.067 

.103 

.196 


9 si 

- 

.043 

.068 

.169 


CM 

- 

4.12 

5.13 

9.74 


qd 

.006 

.009 

.009 

.009 

Cen. 

9 si 

.004 

.034 

.052 

.137 


CM 

29.1 

14.2 

16.3 

21.7 


For the single-string cases, it appears that the fully 
decentralized architecture's lower node-level reliabil- 
ity requirements outweigh its additional node-level 
costs in most cases. The exceptions are the minimal 
(2, 2, £) configurations, and the lower (95%) reliability 
(30,20,^) case. The hybrid partially decentralized ar- 
chitecture allows the designer the flexibility to utilize 
a cheaper intermediate architecture than either. 

For the (2,2 , f ) case, the fully decentralized peer 
nodes' reliability requirement is of the same order 
as the master and subordinate nodes' reliability re- 
quirements (about midway between). Since its cost is 
therefore of the same order as the cost for two mas- 
ter nodes, it is more expensive than the centralized 
architecture. 

For the (30,20,0 case, the fully decentralized peer 
nodes' reliability requirement is lower than the cen- 
tralized nodes'. However, many relatively expensive 
peer nodes are required for this configuration. When 
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the overall mission reliability requirement is higher, 
it is cheaper to achieve using less reliable but rela- 
tively more expensive capable nodes in a decentralized 
network. As the overall mission reliability drops, the 
converse appears to be true. The fact that only four 
capable nodes allows the hybrid architecture to achieve 
the same reliability at much lower cost indicates some 
sense of the inefficiency of the fully decentralized ar- 
chitecture for this large formation. 

Next, consider the effects of allowing for multiple 
strings. Tables 3 through 5 present these results. At 

Table 3 Results for mission reliability vm — 0.95 



k 

2 

3 

6 

30 


kmin 

2 

2 

4 

20 


11 

3 

2 

2 

2 

Dec. 

Qc\ 

.173 

.307 

.330 

.410 


CM 

2.88 

1.71 

3.18 

12.8 


?opt 

- 

2 

2 

4 


Tl 

- 

2 

2 

1 


m 

- 

2 

2 

2 

Hyb. 

Qc t 

- 

.338 

.318 

.316 


Q*i 

- 

.244 

.308 

.388 


cm 

- 

1.39 

2.24 

7.14 


n 

3 

3 

3 

3 


m 

3 

2 

2 

2 

Cen. 

Qc l 

.191 

.210 

.198 

.182 


Q* i 

.153 

.276 

.297 

.391 


CM 

2.12 

1.83 

2.74 

7.86 


the 95% mission reliability level, Table 3 shows that 
the hybrid architecture is again the most cost effective. 
The fully decentralized architecture is only favored 
over the centralized architecture in the (3,2,£) case, 
and this advantage is less than 10%. It appears that 
at this mission reliability level it is more cost-effective 
to add reliability via extra strings on less expensive 
subordinate nodes than via a fully decentralized ar- 
chitecture. 

At the 99% and 99.7% mission reliability levels, Ta- 
bles 4 and 5 show results that are more in line with the 
single-string results. Again, the hybrid architecture is 
clearly the most cost effective. For the higher mission 
reliability requirements, the minimal (2,2,f) and large 
(30, 20, t) formations are more cost-effectively accom- 
plished with a centralized than a fully decentralized 
design, but the fully decentralized approach appears 
to be cheaper than the centralized for the intermediate 
configurations. The rationale for these results appears 
to be similar to the single-string cases. That is, for 
the (2,2,£) case, there is no reliability advantage for 
the fully decentralized case to combat its extra node- 
level cost, and for the (30, 20, f) case, the large number 
of more expensive peer nodes required outweighs their 
individually lower reliability requirement. 

The bottom of Table 4 contains an additional tier 
of rows that present the results of a direct 5000-case 
monte carlo simulation of the systems that Figures 3, 


Table 5 Results for mission reliability r A / = 0.997 



k 

2 

3 

6 

30 


k m i n 

2 

2 

4 

20 


n 

4 

3 

2 

2 

Dec. 

Qc\ 

.066 

.194 

.181 

.327 


cm 

9.91 

3.87 

5.80 

16.1 


(opt 

- 

2 

3 

4 


n 

- 

3 

2 

2 


rn 

- 

3 

3 

2 

Hyb. 

Qc\ 

- 

.212 

.220 

.334 


Q* l 

- 

.156 

.206 

.320 


cm 

- 

3.16 

4.20 

9.21 


n 

5 

5 

5 

5 


in 

5 

3 

3 

2 

Cen. 

Qd 

.090 

.100 

.098 

.096 


Q* i 

.074 

.168 

.220 

.304 


CM 

7.13 

5.50 

6.93 

12.5 


4, and 5 depict, using the values for q c i, q s \, f, n, and 
m from Table 4. If the analysis used in solving for these 
parameters were incorrect, the monte carlo simulation 
should produce estimates of the mission reliability, i\\j , 
that differ at a statistically significant level from the 
99% mission reliability value used in deriving them. 
As the two bottom rows of Table 4 indicate, this is 
not the case, since the 95% confidence limits on r \f 
bound the assumed value of 99% mission reliability. 
This implies that there is only a 5% probability that 
the true value of lies outside the indicated ranges. 

Partitioning of the Global State Space, 
Data Transmission, and Implications 
for GPS Relative Navigation 

Regardless of the number of capable nodes a partic- 
ular design utilizes, unless it is a fully centralized archi- 
tecture, an important next step in the design process 
is determining how to partition the global state space 
among the various local estimators. Willsky, et al. 9 
showed that the state space for the local estimators 
need only satisy the necessary and sufficient condition 
that there exist matrices M J , where j = 1/2 
such that 

( 21 ) 

where is the map from the global state space to the 
local measurement y-*, and // J is the map from the lo- 
cal state space to the local measurement. Among the 
many possibilities Eq. (21) allows is that the global 
state space could consist of the earth-centered inertial 
states of all the spacecraft, while the local state spaces 
could consist of the earth-centered (‘'absolute' ) states 
of each spacecraft, expressed in any earth-centered co- 
ordinate system, along with the relative states of all 
the other spacecraft with respect to the local space- 
craft, expressed in a local spacecraft-centered coordi- 
nate system. An even simpler approach would have 
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Table 4 Results for mission reliability r\j = 0.99 



rn - 3 2 2 

Hyb. q c i - .214 .270 .386 

q sl - .200 .195 .349 

c M - 2.26 3.29 8.34 



n 

4 

4 

4 

4 


m 

4 

2 

2 

2 

Cen. 

</cl 

.119 

.130 

.126 

.122 


<Fl 

.097 

.166 

.205 

.338 


CM 

4.41 

3.55 

4.71 

10.2 

5000- 

case monte carlo check; 95% confidence limits on r\f : 

Dec. 


[.984,. 990] 

[.987, .992] 

[.987, .992] 

[.988,. 993] 

Hyb. 


- 

[.986, .992] 

[.986, .991] 

[.989, .994] 

Cen. 


[.986, .992] 

[.989,.994] 

[.988,.993] 

[.984, .990] 


all the spacecraft, including the subordinates, locally 
estimate only their own absolute states. The capable 
spacecraft could then difference transmissions of their 
subordinates’ absolute states with their own absolute 


where is the a priori estimate of the data de- 
pendent partition of the state, and F* and G\ are 
computed using the local and global system param- 
eters and covariances. Note that this recursion also 


states to arrive at the relative states which the forma- 
tion control law may require. 

The potential problem with the simple “state vec- 
tor differencing” approach, is that it fails to capture 


requires that each node maintain a local copy of the 
global covariance matrix. Now, when it is time to 
compute a globally optimal state est imate, the capable 
nodes compute and exchange the following vectors 


correlations among the local state spaces that may 
arise through correlated states (e.g. biases common 
to multiple nodes), correlated process noise, and/or 
correlated sources of initialization data. A central- 
ized estimator receiving all the measurement data and 
estimating the full global state space would capture 
these correlations correctly. Speyer 1 proposes a more 
efficient approach for decentralized systems, in which 
local estimators at each node process only local data, 
generating locally optimal but globally suboptimal 
state estimates. A brief summary of this algorithm 
highlighting topics relevant to the present work fol- 
lows, along with a discussion of potential simplifica- 
tions of the local state spaces, and a simple illustrative 
example. 

Minimum Data Transmission 

In Speyer’s algorithm, each node partitions its state 
space into a “control dependent” and “data depen- 
dent” partition. The control dependent partitions 
receive only the initial condition and control update 
information, while the data dependent partition is up- 
dated with a local Kalman filter. The local nodes also 
maintain an additional “data vector hf , at each epoch 
i, with the following recursion: 

hj = F\h J t _ { + G] x * Jj , = 0 (22) 


= Piipfr 1 *; ( 23 ) 

where P, represents the a posteriori global covariance 
matrix and Pf represents the a posteriori local covari- 
ance matrix. All the received j3j are then summed 
with each capable node’s local copy of the control 
dependent partition of the global state space to ar- 
rive at the globally optimal state estimate. Although 
the spacecraft may employ any control, if they use a 
linear-quadratic type of control, they may reduce data 
transmission requirements further. In this case, they 
reconstruct the globally optimal control without re- 
constructing the globally optimal state, by exchanging 
pairs of vectors between every two nodes j and C 
where orj 7 has only the dimension of the control. 1 

In order to propagate the state space of the other 
nodes, each node needs to know the other nodes’ con- 
trols as well the state information. In theory, so long 
as every capable node has the schedule of maneuvers 
and knowledge of the cont rol parameters at every other 
node, the nodes need not exchange the controls, since 
each node can compute the controls that, the others 
perform. In practice, the actual controls may dif- 
fer from the computed controls, so the nodes should 
exchange their maneuvers as well. This control infor- 
mation may also be useful in fault detection. 
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References 10 and 11 studied the optimal fully 
decentralized formation control architecture using 
Speyer’s data transmission framework. In these works, 
all of the states present in the full global state vector 
were maintained by each local estimator, regardless of 
their local observability. These works did not explicitly 
study the importance of the correlations among the lo- 
cal position and velocity states. However, Reference 10 
studied a simplified case with two-body dynamics and 
absolute position measurements similar to GPS point 
solutions, with no measurement biases, so few if any 
correlations should have existed. Reference 11 stud- 
ied a somewhat more complex rase, adding Jn to the 
gravity model as well as measurements of the relative 
position vectors between the satellites, which could 
have introduced some intersatellite state correlation. 

The Role of Correlation in Simplifying the Local 
Estimators 

If Reference 10 is representative of realistic applica- 
tions in terms of the role of correlations, as Reference 4 
indicates it may be for some relative GPS applications, 
then the data transmission framework is not required, 
potentially offering significant simplification of the lo- 
cal estimators. In this case, all nodes could dispense 
with the burden imposed by Eqs. (22) and (23) and 
they could estimate and exchange only their own ab- 
solute positions and velocities. Most GPS receivers 
for space applications already perform this function, 
although as Reference 12 describes, not all have done 
as good a job of this as one might expect. Otherwise, 
it may be important to implement the data exchange 
framework. 

In the context of the partially decentralized architec- 
ture, the minimal data transmission approach forms an 
efficient framework for the peer-to-peer decentralized 
control in which the capable nodes engage. If correla- 
tions are significant, the capable nodes would exchange 
the /3j’s at scheduled maneuver epochs in order to op- 
timally estimate the entire global state space for use in 
computing the maneuvers, as Figure 6(a) shows. Nom- 
inally, the subformations would operate as centralized 
frameworks with the subordinates sending measure- 
ments to their respective capable node for processing. 
The minimal data transmission framework could also 
serve as a decentralized estimation scheme at the level 
of the sub-formations, as Figure 6(b) shows. Here 
each node would be responsible for its own local state 
estimation, and the capable nodes would perform a 
fusion of the local estimates, using Eq. (23). At the 
sub-formation level, the minimal data transmission ap- 
proach could substantially reduce data transmission 
requirements over the centralized approach of sending 
all the measurement data. If correlations are signifi- 
cant, sending measurements as in Figure 6(a) instead 
of employing the minimal data transmission frame- 
work as in Figure 6(b) will generally impose a higher 



Fig. 6 Data Transmission Options for the Partially 
Decentralized Architecture 

data transmission burden as a cost of of simpler local 
processing. If correlations are weak, and the network 
exchanges only state estimates, then the unicast net- 
work of Figure 6(c) requires a simpler communications 
topology than the broadcast network of Figure 6(d), 
but may induce additional delays since the capable 
nodes must act as relays. 


Example 

To examine these issues, consider the following sim- 
ple example problem. The example system consists of 
two nodes, denoted by j = 1,2, each of which makes 
bias-corrupted measurements of a unique position: 


vi ~ H + l*i + l i' (* 24 ) 


where = 0,E[i-/(t>j) T ] = RjS ih . The position rj 

is a random walk: 


rj(t) = u^tl (25) 

where E|W(tf)] = 0 , E[t/^(<)(u^) T (r)] = Q(tyS(t,r). 
The bias and initial position are random constants: 

frj = 0, (26) 

where E[fr>] = 0, E[fr{ ) T ] = P, 6j , and E[rj] = 
0,E[r{(rj) T ] = P[ J . The example compares a cen- 
tralized estimator processing all the measurements to 
a suboptimal decentralized estimator that processes 
only local measurements, and performs no information 
exchange. The goal of the example is to estimate the 
relative state, rf-r- , by differencing the absolute state 
estimates, and its covariance matrix. Both filters esti- 
mate the position and bias as states. The centralized 
filter maintains the full 4x4 covariance, while the local 
suboptimal filters only maintain the 2x2 covariances 
corresponding to their local estimates. Therefore, only 
the centralized filter has access to the cross-covariance 
between position 1 and position 2, which appears in 


9 OF 11 


American Institute op Aeronautics and Astronautics Paper DRAFT 


the calculation of the relative state covariance, 

prel _ pr\ + pr2 _ pr 12 _ (/>r21 )T . (27) 


The cross-covariance P, r12 contains the correlations 
that generate the need for data exchange. If these 
correlations are not significant, then / J ,’ 1 ~ ~ 0, and 
the suboptimal local filters should be nearly optimal 
at estimating the relative states, even without data 
exchange. 

The example consists of three cases. In the first, 
there are no correlations among any of the ran- 
dom variables, i.e. E[r}(ri) T ] = 0, E[6{(6j) T ] = 0, 

E[vj (t>?) T ] = 0 Vi, E[w} (tuf ) T ] = 0 V i. In the second 
case, the biases are perfectly correlated i.e. b\ = bf. 

In the third case, the process noises are perfectly cor- 
related, i.e. wj = wf V The first case abstracts 
a scenario similar to that studied in Reference 4, in 
which the spacecraft are at altitudes above the iono- 
sphere, and there is no SA, so that channel-dependent 
range biases may be insignificant, and significant cor- 
relations among the local state spaces do not arise. 

Figure 7(a) illustrates the results of covariance and 
monte carlo analysis of this case. The second case is 
an extreme example of the kind of situation that oc- 
curs when two receivers track the same (iPS satellite, 
and the measurements they make contain the same 
SA and/or ionosphere bias, as occurred in some of the 
results in References 2 and 3. Figure 7(b) illustrates 
the results of covariance and monte carlo analysis of 
this case. The third case is an extreme example of 
the kind of situation that occurs when the filters use 
process noise to account for missing dynamics terms, 
such as higher-order gravity. If the spacecraft are close 
to each other, the same acceleration “noise” due to 
the neglected dynamics will affect both of them. Fig- 
ure 7(c) illustrates the results of covariance and monte 
carlo analysis of this case. 

In the first case where there is no correlation, the lo- 
cal suboptimal filters 1 covariance closely matches the 
actual covariance of the 30 monte carlo cases, and the 
performance appears to be indistinguishable from that 
of the centralized filter. In this case, then, data ex- 
change is superfluous. The other two cases exhibit 
significant differences in performance between the cen- 
tralized and local filters. In the case of the common 
bias, the local filters perform somewhat worse than 
the centralized, and substantially overestimate their 
covariances. In the equal process noise case, the cen- 
tralized filter's performance is much better than that, 
of the local filters, but the local filters at least cor- 
rectly estimate their covariances. If either of these 
cases is representative of the actual scenario, then data 
exchange will likely be a requirement. 

1 0 OP 1 1 

American Institute of Aeronautics and Astronautics Paper DRAFT 


Tnte Avg = 0.19067; Time RMS = 1 .5055 30 Cases 



Epoch 


Tarte Avg * 0 18667, Time RMS = 1 5055 30 Cases 



Epoch 

a) Example Problem Results: No Correlation 


Time Avg - -O 018206. Time RMS = 0 727 5 30 Cases 



Epoch 


Time Avg = 0.0005483*. Time RMS = 0.49221 30 Cases 



Epoch 

b) Example Problem Results: Equal Bias 


Tme Avg - -0 0561 14; Time RMS = 0 98321 , 30 Cases 



Epoch 


Time Avg. * -0 013296 Time RMS = 0 337 30 Cases 



Epoch 

c) Example Problem Results: Equal Process Noise 

Fig. 7 Thick solid lines are ensemble means. Light 
dashed lines are filters' 3<r bounds. Heavy dashed 
lines are ensemble 3*RMS bounds. 








Summary, Conclusions, and Future 
Directions 

This study has presented analytic models for the 
reliabilities of centralized, fully decentralized, and 
hybrid, partially decentralized control architectures. 
Coupled with a cost model, these models may be 
used to find the most cost-effective architecture, from 
the standpoint of the guidance, navigation, and con- 
trol function, for a given mission. In case studies of 
four architectures proposed for satellite formation fly- 
ing missions, along with an assumed cost model, the 
partially decentralized architecture always achieved 
the required mission-level reliability at much lower 
cost than either the fully decentralized or the central- 
ized approaches. The number of capable nodes that 
achieved the lowest cost for the hybrid architecture 
tended to be higher when the fully decentralized archi- 
tecture was more favorable than the centralized, and 
vice versa. 

The study found that the fully decentralized archi- 
tecture is more cost-effective than the centralized for 
smaller formations that can tolerate a few failures, 
especially for higher mission-level reliability require- 
ments. One can attribute this to the graceful degrada- 
tion capability inherent in a decentralized architecture 
better taking advantage of the surplus nodes in failure 
scenarios. 

The centralized architecture is favorable over the 
fully decentralized for a minimal formation of only 
two satellites. In this case, the fully decentralized ar- 
chitecture requires similar node-level reliability to the 
centralized case, so its requirement for two capable 
nodes makes it less cost-effective. 

For larger formations, the additional cost of the 
many capable nodes the fully decentralized architec- 
ture requires again may put it at a disadvantage in 
comparison to the centralized approach, especially 
when the mission-level reliability requirement is lower. 
For such cases, the hybrid architecture is especially 
appealing, since with only a few capable nodes, such a 
configuration can overcome the single-point failure dis- 
advantage of the centralized architecture, while avoid- 
ing the additional cost of making every node a fully 
capable peer. 

Nominally, the nodes chosen as supervisors each 
serve as centralized estimation and control nodes for 
their respective subsets of subordinate nodes, and the 
supervisors act as decentralized estimation and control 
peers with respect to each other. However, for many 
currently proposed formation flying missions that will 
use GPS, if significant correlations among the local 
state spaces do not arise, simplifications of the local 
estimators that preserve the global optimality of the 
maneuvers commanded by the supervisors may be pos- 
sible. 

Further work should bring in the concept of time, so 
that failure rates and mean time between failures can 


be compared with desired mission lifetimes. Future 
work should also consider cost models based on actual 
design and build experience. More detailed relative 
navigation studies also need to be performed in the 
context of the centralized/decentralized architecture 
trade. 
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